1. Field of Invention
This invention relates to cryptographic applications incorporating Common Data Security Architecture (CDSA). More particularly, the invention relates to systems and methods to support varying maximum cryptographic strength for CDSA applications.
2. Background Discussion
Vendors that manufacture applications that require encryption/decryption incorporate cryptographic libraries in their applications. However, for export, cryptography is controlled by Government regulations. By default, cryptographic strength is constrained to weak crypto (e.g., 56 bit DES.). Special industries, for example, financial, can use xe2x80x9cstrongxe2x80x9d crypto (e.g., 168 bit DES.). Vendors usually statically link cryptographic libraries into their applications. Vendors cannot easily change from one cryptographic library to another because the Application Programming Interfaces (APIs) vary between different vendors"" libraries. The Common Data Security Architecture (CDSA) provides programmable interfaces for cryptographic and digital certificate services using a xe2x80x9cplug and playxe2x80x9d model. The CDSA Specification is attached as Appendix 1 and is available from the Intel Corporation, 5200 N.E. Elam Young Parkway, Hillsboro, Oreg. 97124-6497. The Specification is also available from cdsa@dbmg.com. With CDSA, security service providers may support varying strengths of cryptographic algorithms. Normally for a given implementation of CDSA, all applications will be allowed to use the union of all algorithms in cryptographic strengths provided by the registered service providers.
However, there is sometimes a need to allow the same implementation of CDSA to support the cryptographic needs of multiple applications, each of which needs to be constrained to a particular maximum cryptographic strength. For example, financial applications in non-U.S. jurisdictions may be allowed to use 168 bit strength cryptography, while non-financial applications may only be allowed to use 56 bit strength cryptography. What is needed is an improved system and a method to allow a single CDSA implementation to control the maximum cryptographic strength of various applications based on a configurable cryptographic control policy enforced by the CDSA framework.
An object of the invention is a system and method to provide an application with varying cryptographic strength based on a configurable cryptographic control policy implemented in the application.
Another object is a system and method creating a crypto context for an application implemented by the CDSA framework.
Another object is a data structure in a CDSA framework identifying exemptions or privileges contained in applications for varying the cryptographic strength of the application.
These and other objects, features and advantages are achieved in an improved CDSA system(CDSA-I) including a standard CDSA framework coupled via an Application Program Interface, to an application requiring cryptographic support. During manufacture, a cryptographic control privilege is incorporated into the application, as part of an exemption mechanism, which exemption may or may not be enforced by the CDSA framework. For maximum cryptographic strength, an application must be signed by a private key controlled by the CDSA framework vendor. Inside the CDSA framework, the corresponding public key is used to verify at runtime those application that were appropriately signed. The CDSA framework is coupled via a Service Provider Interface (SPI) to a plurality of pluggable modules for performing cryptographic operations, storing signed digital certificates for applications, and trust policies relating to cryptographic strengths. The framework is initialized to provide the cryptographic support for the application at which time it reads a vendor-signed cryptographic control policy file that determines the cryptographic key lengths at which various algorithms are considered cryptographically strong. All APIs for cryptographic operations require a crypto context so the application then requests the CDSA framework to create a crypto context given an algorithm ID, key and key length. By default, all crypto contexts are assigned the default or xe2x80x9cweakxe2x80x9d level of crypto. If the application has been authorized to use strong crypto by virtue of being signed, it next calls the API to request an exemption. The CDSA framework using a data structure determines if the application is signed or privileged to perform strong crypto according to the crypto context based on the previously read cryptographic control policy file. A flag is set in framework-controlled crypto context data structure if the application is entitled to strong crypto. Otherwise, the flag is not set and the application will be stopped from using strong crypto when the APIs is called to encrypt data.